Metasploit For Beginners - #1 - The Basics - Modules; Exploits & Payloads Video Lecture | Get to know Ethical Hacking (English) - Software Development

hey guys hackers Floyd here back again
with another video
in this video we're going to be looking
at Metasploit alright no this is going
to be the complete Metasploit course and
this is going to take you from as an
advanced user of the Metasploit
framework alright now as I said this is
going to be an advanced course and it's
going to take a beginner to advanced so
that is the goal of the course and I'm
going to try and cover it within one
week so I'm gonna you know make the
videos and I'm gonna upload them and
hopefully you guys like the format in
which I'll be uploading them so I'm not
gonna waste time on one series I'm going
to complete it and then we move on to
the next one right so I've made a lot of
videos about Metasploit but I realized
that I really didn't cover the basics
and how to navigate around around this
and you know for most of the beginners
you really don't understand some of you
guys did not understand the the format
and and the way Metasploit worked
alright so let's get started so this is
going to be part 1 and we're gonna be
looking at all the basics to get started
with right okay so for those of you are
already asking what operating system I'm
using I'm using power tools for this
demonstration I just seem to really
really enjoy the latest update and I've
been using it as my daily driver on my
laptop as you can see I'm recording this
on my laptop so yeah let's get started
so what is Metasploit alright so
Metasploit essentially is the you know
it's the leading exploitation framework
alright so it is used by nearly every
penetration tester or ethical hacker or
hacker for that matter and it is really
really important that you master it for
you to you know to enter this field
right or to you know to prosper in this
field now it was developed by rapid7
alright so rapid7 is a company that owns
the different they don't these different
vulnerability scanners like next pose
and it again as it as I've said it or it
owns Metasploit all right now looking at
the Metasploit interfaces we have
already looked at
some throughout you know the channel and
one of them is the MSF console alright
so these are the the multiple Metasploit
interfaces so we have MSF console we
have Armitage
alright so our method is is simply put a
GUI framework that allows you to to use
the Metasploit framework the MSF console
is gives you an interactive command-line
like interface that allows you to also
use the the framework which is what
we're going to be looking at because
it's the most it's the easiest to set up
you then have the MSF CLI which is a
which is going to be a very little
literal Linux command line interface
that also allows you to use or the
Metasploit framework you then have
finally the MSF web which is the
browser-based interface which is what we
looked at where we set up the community
version and we were able to scan for our
targets and find the vulnerabilities
right so as I said we're going to be
focusing on MSF console now you know the
first thing to understand is that
Metasploit as we've looked at pre in
previous videos I really didn't show you
how to set it up correctly and how to
make it faster because most of you
realized it and a lot of you guys raised
that question do I need to start any
services yes you do need to start these
services all right no you need to start
the PostgreSQL database a service which
does come with the major penetration
testing distributions so if you if
you're running this on a normal Linux
distribution
you know I recommend that you switch to
a penetration testing distribution
because these tools would be already
pre-installed right so you don't need to
run this on your main computer like I am
you can also run it in a virtualized
environment moving along so we have to
start the PostgreSQL database all right
so what this will do is it will allow
Metasploit to run faster searches and
that will allow Metasploit to store the
information while you are performing the
scanning and/or exploitation all right
so I'm gonna open up my terminal here
and what I'm going to do is
now let me just try and zoom this in so
I should have done that before I started
the video but you know what we're just
gonna run this through the pirate
terminal because I don't want to confuse
you guys right so let me just zoom that
in so we can have a good view of what's
going on all right so it's very very
simple to start your PostgreSQL service
as you know it Linux so it's service
post very very simple post on Gress
woops my bad sorry about that
oops there we are alright so service
boost
please forgive my typing I am on a
laptop right now boost rescue alright
and we can start woops my bad again
alright and you want to start the
service now and it's gonna ask you for
your root password so make sure you
enter that and once the service is
started we can then move on to use the
MSF console alright which is the command
line interface so again start it up so
MSF console and you will see that it
will load much much faster than when you
if you didn't start up the PostgreSQL
database alright so just give it give
the first run a bit of time because
again it's building the database and it
should load up immediately right so as
you can see it's starting the Metasploit
framework console and give that a few
seconds as always now one thing I want
to just tell you and a lot of you guys
have been asking me is what are the
system requirements you know if if you
want to become a penetration tester the
truth is that the thing that you need
the most is going to be RAM now the
minimum I would recommend 2gb works fine
but if you're going to be running a lot
of penetration tests I would recommend
that you get a minimum of 4 gigabytes of
RAM and then you can post possibly
upgrade to 8 and the ideal one would be
8 to 12 alright so again you also want
to make sure that your processor can
match that so I would recommend you know
an i5 or 93 processor a good one quad
core hopefully depending on you
on what you can afford it really really
doesn't matter but if you want some
great efficiency I recommend you get a
computer with some good RAM all right so
yeah once it starts up it's really
really very simple and I've gone through
this before
now if you're wondering what are the
other ways of launching it what you can
do is go to your you know in Kali Linux
it's simply your it your menu in Paris
it lies they like the same in the same
category they lie in exploitation tools
alright so when once you open
exploitation tools you can see that the
Metasploit framework exists and it gives
you the various options that you can use
you have Armitage the Metasploit
framework and you can update it and this
is another way of accessing it if you
don't want to go through it through the
terminal all right now let's look at the
Metasploit keywords that are very very
important now this is something that I
did not fully cover so I'm gonna do it
right now
now Metasploit has six types of modules
we use mostly four of them the most all
right but I'm gonna explain them to you
so the first thing we have these
exploits all right
it has exploits it has payloads it has
the auxilary it has knobs it has post
and it has encoders all right now let me
explain what they are very very simply
and very quickly now an exploit his
model is a module that will take
advantage of a system alright so it will
take advantage of our systems
vulnerability alright so it's not gonna
you know just take advantage of a system
that is patched or does not have any
vulnerability it needs to have a
vulnerability alright and then it will
it will install a payload on the system
all right now the payload can either be
a reverse shell or a meta Preta all
right so it will give you access to that
computer in form of the payload now you
know usually with other systems or in
other environments you would usually
call these payloads things like root
kits and stuff like that but for now
just understand that the payload is what
the exploit will try and plant on the
system alright so that that will give
you that access to
system obviously through an exploit a
driven vulnerability that is then
exploited right so hope that's simple
now once I've explained that now let's
look at some of the basic commands now
one of the best comments that you know
you can use is the help command and if I
open up that up right now you can see
that oops let me there there we are
if you open this up it'll give you all
the help commands all the commands that
are very very important for you and
again this is very very useful because
it will give you the ability to at any
time you know refer to this
documentation so if you're lost this can
be a very very good way of of using or
of getting guidance using this framework
so you can go through this if you're
feeling a bit lost all right so that's
the help command very very important and
you'll find yourself using this quite a
lot right
alright now let's look at the other
commands now one of the most useful ones
is the use command because the use
command will allow you to load a module
alright so for example we can load many
many modules here and one of the most
you know the most common ones that you
can start to load is the let's see one
that comes straight off my head off the
back of my head
it is the explode yeah I think I
remember this one this was quite an old
exploit and allows us to exploit the the
Adobe Flash I think it's the plugin yeah
the Adobe Flash plugin alright so let me
try to see if I remember so use exploit
so use the use command it allows you to
use modules so then you give the module
name right so use exploit and then it
was Windows alright so it is a Windows
and then browser right and was it flash
whoops let me just bring that into
context here like so I think I already
clicked on it I'm really really sorry
about that
let me just close that up there we are
so use sorry for that I lost it by miss
so remember to use exploit windows right
[Music]
windows was it windows browser I'm not
sure if it is the correct one use
windows browser and it is the Adobe oops
Adobe Flash EVM two I believe was the
vulnerability oops underscore my bad ATM
- all right use exploit Adobe AVM -
let's see if that's the correct one
there we are alright so that is the
exploit so I'm glad I remember it right
so that is also very very useful one but
I do believe it is patched by now all
right so now it Metasploit has
successfully loaded the module now one
thing to understand is if it loads the
module correctly it will display the
module name in red all right so that's
something you know you can take home now
since it's become red we know that we
can use it now the best command to use
now in this case is the show command and
the show command will allow you to it'll
basically give you information on the
module alright so if I say show there we
are it's going to give us some
information now it may seem overwhelming
but really don't worry so it's gonna
give you some information and you really
don't need to worry about what it's
telling me because I'm using a I'm using
the flash player exploit and all of this
may seem like nonsense to you but we'll
get to how to use the correct modules
alright so as you can see it's given me
some options and very very nicely there
you you know these are the it's given us
information about the the exploit or the
module right so now what we can do is
we've already show then we've already
shown what exists the information that
exists now we can show options all right
so the options will show us the options
that we can change above the module all
right so it will give us you know the
it'll give us options that we can change
so if I say show
since there yeah it's gonna say what no
these are things that you can customize
depending on how you how and the method
of exploitation all right so you have
the server host you have the local
machine the server port whether it has
SSL at the SSL certificate you can
change all of these options all right
now the other options that we have is
the payloads will show payloads all
right
also you show the payloads just give it
a few seconds it's gonna take few
seconds obviously right so give it a few
seconds and it should load up really
anytime now again please bear with me
guys while I'm running this on a laptop
there we are
alright so these are all the payloads
that you can load now these as we have
looked at in previous videos with
Metasploit give us different different
ways of approaching an attack all right
so it will give you or it will give you
all the payloads that are compatible
with this exploit all right now if we
look at the other options so you we will
be looking at all of this if we look at
the other options we have the show
targets alright so show targets will
show you the targets that you can change
which in this case is just we have not
said anything all right now the targets
we can it's going to display the targets
that you're trying to target and you
know the thing is with a different
exploits you can have a lot of different
targets you can specify many many
targets all right and it's really
important that you get this right now
some other commands that we can use you
know that can describe that can give us
information about the module or the
exploit that we are using is the show
info alright the show info will give you
information about it will give you
information about the exploit all right
so as you can see here this module
exploits a vulnerability found in the
active X component of the Adobe Flash
Player before twelve point zero point
zero point four three all right so again
it's for a specific version and will not
work on the latest one we already knew
that right that's the trick now
there's a lot of other comments that you
can look at and one of them is at the
MSF search alright so you can use this
search command and the search command
will give you the ability to search and
find the module that you need all right
now you know Metasploit has a lot of
modules and finding one finding the
right one is probably the you know the
most important thing and it also can be
the most time-consuming so you need to
learn how to use the research command
all right now with the search command it
comes with with some very very important
keywords the search command comes with
the keywords like the platform all right
so this is to target or to search for
the platform specifically you then have
the type right this will give you the
type of module for example exploits
payloads as we already discussed you
then have the name and this is if you're
searching for a specific name right so
we can do this very very nicely right
now alright so what I'm going to do is
I'm just gonna I'm just gonna ctrl C
whoops let me just exit this alright so
I'm gonna start the MSF console again
just to show you how this would work all
right so I'm gonna start that up again
and let's just give it a few seconds and
I'm gonna show you how to do this
alright so as I said using the search
command allows you to search for
exploits so that's great and then we'll
be looking at the other ones right so
let it start up I really really sorry
about the slow startup times again you
know just bear with me it should start
up there yeah alright so that's all
saying the most important one is this
search right so if we search it's very
simple so search type all right so
that's the keyword type the type is
going to be an exploit we're going to
search for the same one so type exploit
it is an exploit the platform was
Windows the platform of Windows and
flash all right so every search for that
whoops my bad pardon me guys my typing
today is
there we are all right and it's going to
give us all of these options now the
correct one that we want is the is
probably the first one it's gonna lie up
here and there's a lot of them that you
can use or that we can use you know some
of them are they are sorted with the day
their date and this allows you to you
know specify or to get one that works
okay so what we're going to do now is we
need to set all right now when I'm
saying set you that allows you to set a
specific it allows you to set the
specific payload or the exploit that
you're trying to use in this case we can
you know you can just use the first one
because I don't want to go through all
of these ones there's a lot that you can
use over here and as you can see this is
the one that we were using previously
the exploit the AVM - it's very very
popular one at some given time so we're
gonna say set alright and I'm just gonna
paste that in there there we are and
whoops set option oh sorry about that
guys apologies apologies apologies
alright so we have to use the use and
whoops I'm gonna piss that in there use
there we are so that's the module that
we were using and then we use this set
to set the option so we can say show
options like so and we have the options
here and then to set the specific
options what you just do is you use
things like let's see if you wanted to
set the server port so usually this
would be set s RV server whoops
server port alright and we'll set that
to 80 right and that will set it to 80
we can then say we can
that other things like we can set a lot
of other stuff and once you're all set
so let's say we could say set the server
host to something like set the server
host then that's going to be the host IP
so SRV host all right to something like
four nine to one sixty eight point zero
point one of course this doesn't make
any sense because I'm not really
targeting a system and you can also set
and then you say show options again as
you can see it's going to show you the
options that you did set which we set
what the server host and the server port
and once you're ready to exploit once
you've set all the options all you have
to do is just hit exploit and it will
exploit it perfectly right so let's try
that right now and of course it's not
going to give us anything it's because
we have not done anything so every
exploit it's gonna hit exploit and it's
probably not going to return anything
important here right so just give it a
few seconds all right again as you can
see it's not displaying anything because
there we are alright so it did start a
reverse TCP Handler on a specific on
this IP using deport you know four four
four four four all right but we're not
gonna get anything out of that really
right now I'm pretty pretty sure of that
right alright so once that's done once
you're done exploiting or in this case
as you can see we have not really
exploited anything we can just let me
just close this there we are and we're
done now the last commands that I want
to show you are the exit or the back
command which takes you a step back and
you can use the exit command to exit the
Metasploit or the MSF console framework
all right and these are or that is all
the basics that I needed to cover in the
first video now in the next video we're
going to be looking at some really
really advanced stuff so we're going to
be looking at the module types we'll be
looking at performing reconnaissance the
Armitage GUI and we'll be looking at
exploiting some Windows systems and then
finally we'll be building our own custom
payloads
with the MSM venom framework or
interface all right so thank you so much
for watching this video guys if you
found value in this video please leave a
like down below and you know if you have
any questions or suggestions let me know
in the comment section down below or you
can hit me up on my social networks for
the documented article or the documented
version of this video check out my
website HS ploy comm link will be in the
description and you can also get this on
my application so guess again guys thank
you so much for watching
merry Christmas and I'll be seeing you
in the next video peace
[Music]